Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c6fc6a3c authored by Jeff Tinker's avatar Jeff Tinker
Browse files

Fix for security vulnerability in media server 

bug: 23540426
Change-Id: Ifb12ac3350410a49ba7d81d1bde12822c3008cd5
parent ed555d70

media/libmedia/ICrypto.cpp

+19 −1
Original line number Diff line number Diff line
@@ -303,7 +303,25 @@ status_t BnCrypto::onTransact( 
            AString errorDetailMsg;

            ssize_t result;



            if (offset + totalSize > sharedBuffer->size()) {

            size_t sumSubsampleSizes = 0;

            bool overflow = false;

            for (int32_t i = 0; i < numSubSamples; ++i) {

                CryptoPlugin::SubSample &ss = subSamples[i];

                if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfEncryptedData) {

                    sumSubsampleSizes += ss.mNumBytesOfEncryptedData;

                } else {

                    overflow = true;

                }

                if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfClearData) {

                    sumSubsampleSizes += ss.mNumBytesOfClearData;

                } else {

                    overflow = true;

                }

            }



            if (overflow || sumSubsampleSizes != totalSize) {

                result = -EINVAL;

            } else if (offset + totalSize > sharedBuffer->size()) {

                result = -EINVAL;

            } else {

                result = decrypt(